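# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
# SPDX-License-Identifier: Apache-2.0
---
AWSTemplateFormatVersion: "2010-09-09"
Description: Unity Game Server Example Prerequirements

Parameters:
  # Name of the backend stack; used to import the API Gateway ARN that the
  # Cognito roles below are allowed to invoke.
  BackendServicesStackName:
    Description: CloudFormation stack containing the Backend Services
    Type: String
    Default: fargate-game-servers-backend

Resources:
  # COGNITO RESOURCES

  # Creates a federated Identity Pool.
  # NOTE: AllowUnauthenticatedIdentities is true, so any client that knows the
  # pool ID can obtain credentials for CognitoUnAuthenticatedRole below. Keep
  # that role's permissions to the minimum the guest flow needs.
  IdentityPool:
    Type: "AWS::Cognito::IdentityPool"
    Properties:
      IdentityPoolName: GameLiftExampleIdentityPool
      AllowUnauthenticatedIdentities: true

  # Role for unauthenticated (guest) access to AWS resources, used by the example.
  # Trust policy: assumable only through this Identity Pool (aud) and only by
  # identities carrying the "unauthenticated" amr claim.
  CognitoUnAuthenticatedRole:
    Type: "AWS::IAM::Role"
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Principal:
              Federated: "cognito-identity.amazonaws.com"
            Action:
              - "sts:AssumeRoleWithWebIdentity"
            Condition:
              StringEquals:
                "cognito-identity.amazonaws.com:aud": !Ref IdentityPool
              "ForAnyValue:StringLike":
                "cognito-identity.amazonaws.com:amr": unauthenticated
      Policies:
        - PolicyName: "CognitoUnauthorizedPolicy"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: "Allow"
                Action:
                  # Wildcard over the cognito-sync service; narrow to the
                  # specific actions the client uses (or drop it) if the game
                  # client does not use Cognito Sync.
                  - "cognito-sync:*"
                  # Guests may call the API Gateway API exported by the backend
                  # stack. The Resource is whatever ARN that stack exports as
                  # FrontEndApiArn; confirm it is scoped to the stage/routes
                  # guests should reach rather than the whole API.
                  - "execute-api:Invoke"
                Resource:
                  Fn::ImportValue: !Sub "${BackendServicesStackName}:FrontEndApiArn"

  # Role for authenticated access to AWS resources. Control what your users can
  # access here: this example grants API Gateway invoke (execute-api:Invoke) and
  # cognito-sync, not Lambda invocation directly.
  # Trust policy: assumable only through this Identity Pool (aud) and only by
  # identities carrying the "authenticated" amr claim.
  # NOTE: the permissions policy is currently identical to the unauthenticated
  # role's, so authenticating gives no extra access until the two diverge.
  CognitoAuthenticatedRole:
    Type: "AWS::IAM::Role"
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Principal:
              Federated: "cognito-identity.amazonaws.com"
            Action:
              - "sts:AssumeRoleWithWebIdentity"
            Condition:
              StringEquals:
                "cognito-identity.amazonaws.com:aud": !Ref IdentityPool
              "ForAnyValue:StringLike":
                "cognito-identity.amazonaws.com:amr": authenticated
      Policies:
        - PolicyName: "CognitoAuthorizedPolicy"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: "Allow"
                Action:
                  - "cognito-sync:*"
                  - "execute-api:Invoke"
                Resource:
                  Fn::ImportValue: !Sub "${BackendServicesStackName}:FrontEndApiArn"

  # Assigns the two roles to the Identity Pool.
  IdentityPoolRoleMapping:
    Type: "AWS::Cognito::IdentityPoolRoleAttachment"
    Properties:
      IdentityPoolId: !Ref IdentityPool
      Roles:
        authenticated: !GetAtt CognitoAuthenticatedRole.Arn
        unauthenticated: !GetAtt CognitoUnAuthenticatedRole.Arn

Outputs:
  # Exported so client configuration and other stacks can reference the pool.
  IdentityPoolID:
    Description: The ID for the identity pool to be used to request identities
    Value: !Ref IdentityPool
    Export:
      Name: !Sub "${AWS::StackName}-IdentityPool"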